congratulations, you've broken the code!

why this is a bad idea is left as an exercise to the reader.

On Thu, Apr 01, 2010 at 02:09:36PM +0200, Marcus M?lb?sch wrote:
> Hello all,
> 
>    it occurred to me that with a combination of some pass rules and
> adding the address via overload to a sort of "whitelist" tables you
> can implement a simple portknocking; using nothing but pf.
> 
> The rules would look like this:
> 
> pass in on $ext_if inet proto tcp from any to any port $knock1
> synproxy state (max-src-conn 1 overload <knock1>)
> 
> pass in on $ext_if inet proto tcp from <knock1> to any port $knock2
> synproxy state (max-src-conn 1 overload <knock2>)
> 
> pass in on $ext_if inet proto tcp from <knock2> to any port $knock3
> synproxy state (max-src-conn 1 overload <knock3>)
> 
> pass in on $ext_if inet proto tcp from <knock2> to any port $knock3
> synproxy state (max-src-conn 1 overload <knock3>)
> 
> pass in on $ext_if inet proto tcp from <knock3> to any port ssh
> 
> No port knocking daemon is needed, and with an appropriate blocking
> rule the ssh port is closed to all.
> 
> This works; all you have to do is to try to connect to each port
> $knock<n> in order twice (since the max-src-conn is set to 1).
> 
> I have two questions:
> 
> 1) Is there any problem with that setup? I don't see any, but then
> again, it seems so simple and I didn't find any howtos on the web.
> Either nobody else did think of it before, or there is something
> wrong with my reasoning. If so, I'm happy if you tell me :-)
> 
> 2) I would like to knock on each port only once. However, setting
> "max-src-conn 0" does not change anything. I would expect that the
> first connect will fill the appropriate table, but it doesn't. Is
> there something I do not understand, or must the <number> that is
> allowed be equal or greater to one?
> 
> Thanks for any pointers,
> 
> Marcus
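The following is an added example, not code from Marcus's mail or from pf itself: a small Python model of the rule chain quoted above, so the ordering of the knock tables and the effect of `max-src-conn 1` can be reasoned about offline. It assumes (these are modelling assumptions, not a statement of pf internals) that each stage counts concurrent states per source, that a SYN exceeding `max-src-conn` is not passed and its source is added to that stage's overload table, and that table entries persist until something removes them, which here is modelled on `pfctl -t <table> -T expire <seconds>`. The port numbers and the address `198.51.100.7` are constructed sample values.

```python
from collections import defaultdict

# Model of the quoted pf chain (assumption-based, not pf's own logic):
#   pass in ... from any      to port $knock1 synproxy state (max-src-conn 1 overload <knock1>)
#   pass in ... from <knock1> to port $knock2 synproxy state (max-src-conn 1 overload <knock2>)
#   pass in ... from <knock2> to port $knock3 synproxy state (max-src-conn 1 overload <knock3>)
#   pass in ... from <knock3> to port ssh
# An implicit "block in" for everything else is assumed, as the mail describes.

class KnockChain:
    def __init__(self, knock_ports, protected_port, max_src_conn=1):
        self.knock_ports = list(knock_ports)        # $knock1 .. $knockN, in order
        self.protected_port = protected_port        # ssh in the original rules
        self.max_src_conn = max_src_conn
        self.tables = [set() for _ in knock_ports]  # <knock1> .. <knockN>
        self.states = defaultdict(int)              # (src, stage) -> open states (assumed to persist)
        self.added_at = {}                          # (stage, src) -> time the source was overloaded

    def syn(self, src, dport, now=0):
        """Evaluate one inbound SYN. Returns 'pass', 'overload' or 'block'."""
        if dport == self.protected_port:
            # Only sources already in the last table reach the protected port.
            return 'pass' if src in self.tables[-1] else 'block'
        if dport not in self.knock_ports:
            return 'block'
        stage = self.knock_ports.index(dport)
        # Stage 0 is "from any"; every later stage requires the previous table.
        if stage > 0 and src not in self.tables[stage - 1]:
            return 'block'
        if self.states[(src, stage)] >= self.max_src_conn:
            # Limit exceeded: source is overloaded into this stage's table
            # and the excess connection itself is not passed (assumption).
            self.tables[stage].add(src)
            self.added_at[(stage, src)] = now
            return 'overload'
        self.states[(src, stage)] += 1
        return 'pass'

    def expire(self, stage, older_than, now):
        """Model of 'pfctl -t <table> -T expire <seconds>' (assumption): drop
        entries that were added at least `older_than` seconds before `now`.
        Returns the set of removed sources."""
        table = self.tables[stage]
        stale = {src for src in table if now - self.added_at[(stage, src)] >= older_than}
        table -= stale
        return stale


def knock(chain, src, now=0):
    """Run the sequence exactly as the mail describes: each knock port twice.
    With max-src-conn 1 the first SYN opens a state and the second is the
    one that trips the overload, so every stage yields ('pass', 'overload')."""
    return [(chain.syn(src, port, now), chain.syn(src, port, now))
            for port in chain.knock_ports]


if __name__ == "__main__":
    chain = KnockChain(knock_ports=[1111, 2222, 3333], protected_port=22)
    client = "198.51.100.7"                       # constructed sample address
    print("before knocking:", chain.syn(client, 22))
    print("knock sequence:", knock(chain, client, now=0))
    print("after knocking:", chain.syn(client, 22))
    # Without a periodic expire the entry stays forever; here it is aged out.
    print("expired:", chain.expire(stage=2, older_than=60, now=120))
    print("after expiry:", chain.syn(client, 22))
```

The model makes two things visible that the rules alone do not: a source that skips a stage is blocked at the next one, and a source that completes the chain stays in `<knock3>` until an expire is run, so a cron-driven `pfctl -t knock3 -T expire` (or similar housekeeping) is part of any real deployment of this idea.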